azure-devops-cli
Warn
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous examples for executing powerful Azure CLI commands that modify the state of an Azure DevOps organization.
  - Evidence: Commands in `references/org-and-security.md` allow for managing users (`az devops user add/remove`), security groups (`az devops security group create/delete`), and security permissions (`az devops security permission update/reset`).
  - Evidence: The skill documents the installation of Azure DevOps organization extensions using `az devops extension install` in `references/org-and-security.md`.
- [EXTERNAL_DOWNLOADS]: Fetches installation scripts from a remote source.
  - Evidence: `SKILL.md` includes a command to download and execute the Azure CLI installation script from Microsoft's official infrastructure: `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`.
- [CREDENTIALS_UNSAFE]: The skill provides patterns for handling sensitive authentication tokens and service principal keys that involve local storage.
  - Evidence: `references/workflows-and-patterns.md` contains a script that writes service principal keys to a local JSON file (`service-connection.json`) before using it to create a service endpoint.
  - Evidence: `SKILL.md` and `references/workflows-and-patterns.md` describe using Personal Access Tokens (PAT) for authentication, including piping them to the `az devops login` command.
- [DATA_EXFILTRATION]: Automation patterns include sending data to external endpoints.
  - Evidence: The `monitor_pipeline` function in `references/workflows-and-patterns.md` uses `curl` to send pipeline failure alerts and run IDs to an external Slack webhook.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection where untrusted data is processed without sanitization.
  - Ingestion points: Untrusted data enters the context through git commit messages (`git log -1 --pretty=%B`), build environment variables (`BUILD_BUILDNUMBER`), and pipeline run metadata fetched from the API as seen in `references/workflows-and-patterns.md`.
  - Boundary markers: Automation scripts lack delimiters or sanitization logic when interpolating these variables into CLI command arguments.
  - Capability inventory: Processed data is used in commands that create pull requests (`az repos pr create`), work items (`az boards work-item create`), or send network requests (`curl`).
  - Sanitization: No escaping or validation of external content is present in the provided shell script examples.
Audit Metadata